Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient policy enforcement in the Chrome DevTools component allowed a remote attacker, having already compromised a renderer process, to craft a malicious HTML page that could potentially lead to bypassing the renderer sandbox and gaining wider system access. The vulnerability is identified as a medium severity issue by Chromium’s own security team, indicating that, while it does not directly expose remote code execution without prior compromise, it significantly raises the potential for privilege escalation within the browser’s sandboxed environment.

Affected Systems

Affected systems include all versions of Google Chrome prior to 150.0.7871.47 for desktop operating systems. The issue is specific to the DevTools feature and does not affect other Chrome components directly.

Risk and Exploitability

Risk analysis shows that the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Because exploitation requires an already compromised renderer process, the likelihood of a successful attack is limited to contexts where such a foothold can be achieved, such as through malicious extensions or zero‑day content. Despite the absence of an EPSS value, the medium Chromium severity suggests a non‑negligible risk, especially in environments that allow unrestricted DevTools usage or where renderer sandboxing is weakened. The lack of KEV inclusion indicates no publicly known exploits have yet been documented for this flaw.

Generated by OpenCVE AI on July 1, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 150.0.7871.47 or later according to the official stable channel update.
  • Disable DevTools for untrusted or externally hosted content by configuring the browser policy or limiting user access to developer tools.
  • Monitor for anomalous sandbox escape behavior and apply endpoint protection to detect possible renderer process compromise.

Generated by OpenCVE AI on July 1, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Title Insufficient policy enforcement in Chrome DevTools allows potential sandbox escape for compromised renderer
Weaknesses CWE-1188
CWE-829

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:17.823Z

Reserved: 2026-06-29T23:03:49.722Z

Link: CVE-2026-13909

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere